By Christopher Sicuranza
The lines between personal and business communications continue to blur, and regulatory agencies are taking notice. Employees are required to leverage company-approved channels (for example, corporate-owned devices or applications that allow the firm to retain employee messages) to send electronic business communications; however, in this remote working environment, many are turning to unapproved channels (e.g., WhatsApp) to conduct business. These unapproved channels leave regulated financial firms at risk of not retaining records of business activities, in violation of regulatory statutes. Regulators, including the U.S. Securities and Exchange Commission, the Commodity Futures Trading Commission, and the Financial Industry Regulatory Authority, have all levied significant fines against firms that conduct business activity on unapproved channels.
The use of unapproved electronic communication channels presents a unique challenge for financial institutions. For one, the topic is a highly complex one without clearly established precedent or industry best practices. While regulations dictate the specific retention requirements that firms must adhere to, the actual implementation of these requirements and the associated frameworks, processes, and controls is unclear. Each firm may have its preferred methodology for satisfying the requirements based on available resources, risk exposure and tolerance, technology infrastructure, and business-specific nuances. As a result, institutions facing this issue are often making strategic decisions against a moving target.
Complex regulatory requirements and the need to coordinate resources across the firm are key to solving unapproved channel use. In addition to spanning different lines of business and geographic locations, the issue impacts and requires buy-in from almost all firm disciplines, including Technology, Compliance, Risk, Legal, Controls, Human Resources, and all lines of defense. Given the level of risk and heightened regulatory oversight, it is critical to involve senior stakeholders who have the ability and authority to make key program decisions.
The unique complexities associated with unapproved channel use demand a centralized program. While program design may vary by firm, core initial responsibilities should include establishing the appropriate level of prioritization and senior oversight for the program, confirming regulatory scope and establishing associated program workstreams, identifying required stakeholders across the firm, and assigning sufficient internal and external resources. Once established, the program should assess the firm’s current state infrastructure and its ability to monitor and report on unapproved channel use against regulations (e.g., policies and procedures, controls, technology) and appropriately address any identified gaps.
Any such assessment should consider and account for the following:
With a remote and largely decentralized workforce, it can be challenging for institutions to determine when unapproved channels are being used to conduct business and to take appropriate steps to respond to potential policy violations. Despite these challenges, financial institutions must be proactive about the identification and mitigation of unapproved channel use, as a failure to be vigilant can damage the firm’s reputation and bottom line.
This article is co-authored by Ryan Brush.